Thanks for the reply mate.....you're still on here
How you doing?
Yes I'll show you the rest of the code, please forgive me if it looks complicated, I've followed a few tutorials from different books, and I'm still learning this process myself...to try and build a secure application that can be updated......I may be failing miserably lol
Ok basically this system uses some other includes. Firstly you have the admin page admin.php:
PHP Code:
<?php require './phpincludes/secure.inc.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<h1>Admin Section</h1>
<?php echo '<p>Hello ' . ADMIN_NAME . '</p>' ?>
<p>What would you like to do?</p>
<ul>
<?php if (ADMIN_ID == "1" or ADMIN_ID == "2"){ ?>
<li><a href="edit_mods.php" title="Add, edit and delete moderators">Edit Moderators</a></li>
<li><a href="edit_albums.php" title="Add, edit and delete albums">Edit Albums</a></li>
<?php } ?>
<li><a href="upload_new.php" title="Upload a new photo">Upload a photo</a></li>
<li><a href="admin_gallery.php" title="Edit the viewable gallery">Edit the gallery</a></li>
</ul>
<p>Not<?php echo ' <strong>' . ADMIN_NAME .'</strong>? ' ?><a href="<?php echo htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>?logout=1">Logout</a></p>
</body>
</html>
I was hoping that I could have user IDs 1 and 2 with a higher level of access.
To have admin.php secure (requiring a username and password) it requires secure.inc.php:
PHP Code:
<?php
// This include will make any page it's attached to secure (Requiring authorisation to view content)
// It makes sure a login form is displayed if the current user is not already logged in
require_once 'access.inc.php';
if (!loggedIn()) {
include 'login.inc.php';
exit;
}
?>
This in turn needs access.inc.php:
PHP Code:
<?php
// This include will determine the current state of the user to see if they are logged in or out, it's set inside a session variable
require_once 'modconfig.inc.php';
session_start();
// Our defined function to determine if user is logged in
function loggedIn()
{
return isset($_SESSION['authorised']);
}
// Process login attempt
if (isset($_POST['username'])) {
if ($_POST['username'] == ADMIN_USER and $_POST['password'] == ADMIN_PASS) {
$_SESSION['authorised'] = TRUE;
}
}
// Process logout
if (isset($_REQUEST['logout'])) {
unset($_SESSION['authorised']);
}
?>
This then calls modconfig.inc.php:
PHP Code:
<?php
// This include will deal with all moderator/administrator sensitive data
require_once 'dbcnx.inc.php';
// Initialise $clean as a new array, so we know data stored within from now on has been filtered
$clean = array();
// Initialise $html as a new array, so we know data stored within from now on has been escaped
$html = array();
$moderators = @mysql_query('SELECT id, name, email, username, pass FROM moderator');
// For each row of this table, escape database data and store it in the empty array $html
while ($moderator = mysql_fetch_array($moderators)) {
$html['id'] = htmlentities($moderator['id'], ENT_QUOTES, 'UTF-8');
$html['name'] = htmlentities($moderator['name'], ENT_QUOTES, 'UTF-8');
$html['email'] = htmlentities($moderator['email'], ENT_QUOTES, 'UTF-8');
$html['username'] = htmlentities($moderator['username'], ENT_QUOTES, 'UTF-8');
$html['pass'] = htmlentities($moderator['pass'], ENT_QUOTES, 'UTF-8');
}
// Escaped data in $html array is assigned to these constant variables for easy output throughout the script
define('ADMIN_ID', $html['id']);
define('ADMIN_NAME', $html['name']);
define('ADMIN_EMAIL', $html['email']);
define('ADMIN_USER', $html['username']);
define('ADMIN_PASS', $html['pass']);
?>
Which finally calls the database connection file dbcnx.inc.php:
PHP Code:
<?php
// This include handles all connection to the database
// Connect to the database or display an error accordingly
$dbcnx = @mysql_connect('localhost', 'database', 'password');
if (!$dbcnx) {
exit('<p>Unable to connect to the database server at this time.</p>');
}
// Select database to use or display error accordingly
if (!@mysql_select_db('database', $dbcnx)) {
exit('<p>Unable to locate the database at this time.</p>');
}
?>
If a page has the attached secure.inc.php file it will prompt the user with this login form, via login.inc.php:
PHP Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<fieldset>
<legend>Login Details</legend>
<ol>
<li>
<label for="username">Username:</label>
<input type="text" name="username" />
</li>
<li>
<label for="password">Password:</label>
<input type="password" name="password" />
</li>
<input type="submit" value="Log In" />
</ol>
</fieldset>
</form>
</body>
</html>
I'm still learning the basics of PHP and MySQL, so any further advice is very much appreciated. I'm trying to learn about filtering and escaping data to prevent certain security risks. Also, another problem I face is that my host will not allow me to create a folder outside of root, which means I've had to password protect a directory using .htaccess.
Is there a better way I could write this using fewer files? Will it still be considered a secure option, with the ability to update it easily?
Thanks in advance, your help is much appreciated.
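As an added example (not the poster's code), here is one way to fold access.inc.php, modconfig.inc.php and dbcnx.inc.php into a single include: it fetches only the moderator whose username was submitted, compares against a stored password hash rather than plaintext, and keeps the logged-in user's id and name in the session instead of in constants built from whatever row the loop read last. It assumes the moderator table from the post (id, name, email, username, pass) with pass holding the output of password_hash(), mysqli with the mysqlnd driver for get_result(), and placeholder database credentials.

```php
<?php
// Added example: single-file replacement for access.inc.php / modconfig.inc.php / dbcnx.inc.php.
// Assumes table `moderator` (id, name, email, username, pass) where `pass` is a password_hash() value.
session_start();

function dbConnect(): mysqli
{
    // Placeholder credentials: replace with your own.
    $db = new mysqli('localhost', 'database', 'password', 'database');
    if ($db->connect_error) {
        exit('<p>Unable to connect to the database server at this time.</p>');
    }
    return $db;
}

function loggedIn(): bool
{
    return isset($_SESSION['admin_id']);
}

// True only when the username exists and the password matches its stored hash.
function attemptLogin(mysqli $db, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM moderator WHERE username = ? AND pass IS NOT NULL');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $hash = $row === null ? null : fetchHash($db, (int) $row['id']);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id so a pre-login id cannot be reused
    $_SESSION['admin_id']   = (int) $row['id'];
    $_SESSION['admin_name'] = $row['name']; // escape with htmlentities() at output time, not here
    return true;
}

function fetchHash(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT pass FROM moderator WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['pass'] ?? null;
}

if (isset($_POST['username'], $_POST['password'])) {
    attemptLogin(dbConnect(), (string) $_POST['username'], (string) $_POST['password']);
}
if (isset($_REQUEST['logout'])) {
    $_SESSION = array();
    session_destroy();
}
```

Pages then call loggedIn() as before, and the extra admin links can be gated on $_SESSION['admin_id'] being 1 or 2; new moderator passwords are stored with password_hash($plain, PASSWORD_DEFAULT) when the row is created.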